U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

United States Patent and Trademark Office

FY 2009 FISMA Assessment of Enterprise UNIX Services System (EUS) (PTOI-010-00)

Final Inspection Report No. OAE-19729
November 2009

Office of Audit and Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

November 20, 2009

MEMORANDUM FOR:  David Kappos
                 Under Secretary of Commerce for Intellectual Property
                 and Director of the United States Patent and Trademark Office

FROM:            Allen Crawley
                 Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:         United States Patent and Trademark Office
                 FY 2009 FISMA Assessment of Enterprise UNIX Services System (EUS) (PTOI-010-00)
                 Final Inspection Report No. OAE-19729

This report presents the results of our Federal Information Security Management Act (FISMA) review of USPTO's certification and accreditation of the Enterprise UNIX Services system.

We found that the authorizing official received sufficient information to make a credible, risk-based decision to approve system operation. However, we also identified several security plan inaccuracies and control assessment deficiencies, and OIG's own assessment of selected security controls found vulnerabilities that require remediation.

In its response to our draft report, USPTO concurred with all our findings and recommendations. USPTO's response is summarized in the appropriate sections of the report. USPTO's response is included in its entirety as appendix A.

We request that you provide us with an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. A plan of action and milestones should be used to communicate the plan as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-1855.

Attachment

cc:  Suzanne Hilding, Chief Information Officer, U.S. Department of Commerce
     John B. Owens II, chief information officer, USPTO
     Rod Turk, director, office of policy and governance, USPTO
     Welton Lloyd, USPTO audit liaison


Report In Brief
U.S. Department of Commerce, Office of Inspector General
November 2009

United States Patent and Trademark Office (USPTO)
FY 2009 FISMA Assessment of the Enterprise UNIX Services System (OAE-19729)

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to identify and provide security protection of information collected or maintained by it or on its behalf. Inspectors general are required to annually evaluate agencies' information security programs and practices. Such evaluations must include testing of a representative subset of systems and an assessment, based on that testing, of the entity's compliance with FISMA and applicable requirements.

This review covers our evaluation of USPTO's EUS system, which is one of a sample of systems we assessed in FY 2009.

Background

EUS is a general support system that comprises various operating systems and databases. The purpose of this system is to provide a hosting platform and databases that support major USPTO applications.

C&A is a process by which security controls for IT systems are assessed to determine their overall effectiveness. Understanding the remaining vulnerabilities identified during the assessment is essential in determining the risk to the organization's operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system.

What We Found

We evaluated certification and accreditation activities for the Enterprise UNIX Services (EUS) system as part of our FY 2009 reporting responsibilities under the Federal Information Security Management Act (FISMA).

We found that while the security plan was generally adequate, some inaccuracies need to be addressed. Security control assessments were generally adequate but improvements are needed, and our control assessment found some vulnerabilities that require remediation. Despite these deficiencies, the authorizing official received sufficient information to make a credible, risk-based decision to approve system operation.

What We Recommend

In order to ensure the EUS system complies with FISMA requirements, USPTO should resolve the deficiencies we reported. USPTO agrees with our findings, and has identified the corrective actions it needs to take to address our recommendations.


OIG FY 2009 FISMA Assessment

Listing of Abbreviated Terms and Acronyms

AIS          automated information system
C&A          certification and accreditation
CALS         Centralized Audit Log System
ERA          Enterprise Remote Access
EUS          Enterprise UNIX Services
FISMA        Federal Information Security Management Act of 2002
IT           information technology
NIST         National Institute of Standards and Technology
NIST SP      National Institute of Standards and Technology Special Publication
NSI          Network and Security Infrastructure
SSP          system security plan
USPTO        United States Patent and Trademark Office
USSS         UNIX Systems Services Section


Synopsis of Findings

•   Security plan was generally adequate but inaccuracies need to be addressed.

•   Security control assessments were generally adequate but improvements are needed.

•   OIG control assessment found vulnerabilities requiring remediation.

Conclusion

Despite security plan inaccuracies and control assessment deficiencies, the authorizing official received sufficient information to make a credible, risk-based decision to approve system operation.

Summary of USPTO Response

In its response to our draft report, the United States Patent and Trademark Office (USPTO) concurred with all of our findings and recommendations (see appendix A). USPTO requested additional information related to one of our findings.

In addition, USPTO identified actions it will take to address our findings and recommendations.

OIG Comments

USPTO concurred with our findings and recommendations and provided corrective actions to address them.

We also provided the requested information to USPTO. We address specific elements of USPTO's response in the applicable sections of the report.


Introduction

We evaluated the certification and accreditation for the Enterprise UNIX Services (EUS) system. For our complete objectives, scope, and methodology, see appendix B.

The EUS system is a general support system that comprises UNIX-based operating systems and [redacted] databases. The purpose of this system is to provide a hosting platform and databases that support major USPTO applications. The system was authorized to operate on May 5, 2009. At that time, there were [redacted].

USPTO has characterized EUS as a [redacted] effect on organizational operations, organizational assets, or individuals.


Findings and Recommendations

1. Security Plan Was Generally Adequate but Inaccuracies Need to Be Addressed

•   The initiation-phase security plan generally provided adequate implementation descriptions for applicable security controls and identified controls as system-specific, common,[1] or hybrid.[2]
    o   The security plan referenced system boundary documents that adequately described the accreditation boundary.

•   The security plan was updated to reflect the results of security certification; however, some improvements are needed.
    o   The initiation-phase security plan identified 54 controls with system-specific implementations. However, during the certification phase, 11 additional system-specific controls were identified.
    o   The security plan states that the control Session Authenticity (SC-23) is not applicable to the system. [redacted] Thus, the control is applicable to EUS and should be described in the security plan.
    o   The security plan states that the control Time Stamps (AU-8) is a common control. However, information technology (IT) products in the system must be configured to use the appropriate time server. This configuration setting is the responsibility of EUS, so AU-8 should be identified as a hybrid control.
    o   The following security control implementation descriptions need improvement.
        ▪   Access Enforcement (AC-3). [redacted]
        ▪   Response to Audit Processing Failures (AU-5). The control description only addresses file system capacity and does not address other failures such as failure in the [redacted].
        ▪   User Identification and Authentication (IA-2). The control description does not reference appropriate policies that identify USPTO requirements for password complexity. As a result, these requirements were not assessed (see finding 3).
        ▪   Configuration Settings (CM-6). [redacted]

[1] Common control: a security control that applies to one or more agency systems. A common control is developed, implemented, and assessed by a responsible official other than the information system owner.
[2] Hybrid control: a designation given to a security control in situations in which one part of the control is deemed to be common, while another part of the control is deemed to be system-specific.
[3] [redacted]

Recommendation

1.1 USPTO should ensure that the security plan is updated to correct the inaccuracies noted.

USPTO Response

USPTO concurred with this finding and our recommendation.


2. Security Control Assessments Were Generally Adequate but Improvements Are Needed

•   System-specific control assessments were generally adequate.
    o   Assessments were performed on an adequate set of system components.
    o   Results, in general, were sufficiently supported by evidence.
    o   Procedures were adequate to assess security control requirements.

•   Controls implemented on [redacted] servers were not adequately assessed.
    o   The servers were scanned for vulnerabilities.
    o   Certification test results indicate that two controls were assessed. However, issues identified during the assessment were not reported to the authorizing official, recorded in the security assessment report, or included in the plan of action and milestones.
        ▪   [redacted]
        ▪   [redacted]
    o   Eighteen additional controls implemented on these servers were not assessed (for example, controls from the [redacted] families).

•   Assessments of the following controls on the UNIX-based servers were inadequate.
    o   Control assessments for Access Enforcement (AC-3) [redacted]
    o   Control assessments for User Identification and Authentication (IA-2) [redacted]
    o   Compliance scans to assess Authenticator Management (IA-5) [redacted]

•   Assessment results were not included for the following security controls that are provided by other systems.
    o   [redacted] The security plan states that the system relies on the CALS, which is part of the Network and Security Infrastructure system.
    o   [redacted] The security plan states that this control is provided by another system but does not identify the system.
    o   [redacted] The security plan states that this control is provided by the Enterprise Remote Access (ERA) system.
    o   [redacted] The security plan states that this is provided by CALS.
    o   [redacted] The security plan states that this control is provided by ERA.

•   Assessment procedures for the following common security controls called for an examination or test of actual system components, but only document reviews or interviews were conducted.
    o   [redacted]
    o   [redacted]
    o   [redacted]
    o   [redacted]
    o   [redacted]

Recommendations

USPTO should ensure that

2.1 controls implemented on the [redacted] are assessed and any deficiencies are briefed to the authorizing official and appropriate plan of action and milestones items are created;
2.2 inadequacies identified for security controls AC-3, IA-2, and IA-5 are corrected prior to conducting future control assessments;
2.3 assessment results for controls provided by other systems are presented to the authorizing official; and
2.4 common control assessment procedures requiring an examination or test of system components are performed.

USPTO Response

USPTO concurred with this finding and our recommendations. USPTO requested that we identify the 18 additional controls that were not assessed on [redacted] so it could plan appropriate corrective actions.

OIG Comments

We provided USPTO the requested information via e-mail.


3. OIG Control Assessment Found Vulnerabilities Requiring Remediation

As part of OIG's FY 2009 Federal Information Security Management Act of 2002 (FISMA) evaluation of EUS, we assessed a targeted set of system components to determine if selected security controls are properly assessed and implemented on applicable IT products. We tailored our procedures to the system's specific control implementations.

•   OIG assessments identified the following weaknesses in National Institute of Standards and Technology Special Publication (NIST SP) 800-53 controls that were not identified by the certification team and need to be addressed.
    o   [redacted]
        ▪   [redacted]
        ▪   [redacted]
        ▪   [redacted]
        ▪   [redacted]
        ▪   [redacted]
        ▪   [redacted]
    o   [redacted]
        ▪   [redacted]
        ▪   [redacted]

•   Details of NIST SP 800-53 controls that we assessed are listed in table 1.

•   Components selected for OIG control assessment are listed in appendix C.

Recommendation

3.1 USPTO should add the vulnerabilities identified in table 1 to the system's plan of action and milestones and remediate them accordingly.

USPTO Response

USPTO concurred with this finding and our recommendation.

[5] [redacted]


Table 1. OIG Control Assessment Results

Security Control | NIST SP 800-53 Requirement | EUS Assessment Results (Excerpts) | OIG Assessment Results
[table contents redacted]


Appendix A: USPTO's Response to Findings

[content not available in the extracted text]


Appendix B: Objectives, Scope, and Methodology

To meet FY 2009 FISMA reporting requirements, we evaluated the certification and accreditation for the United States Patent and Trademark Office (USPTO) Enterprise UNIX Services (EUS) system.

Security certification and accreditation packages contain three elements, which form the basis of an authorizing official's decision to accredit a system:

•   The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. The security plan provides a basis for assessing security controls and also includes other documents such as the system risk assessment and contingency plan, per Department policy.
•   The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.
•   The plan of action and milestones is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

The Department's IT Security Program Policy and Minimum Implementation Standards requires that certification and accreditation (C&A) packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are

•   the certification test plan, which documents the scope and procedures for testing (assessing) the system's ability to meet control requirements; and
•   the certification test results, which are the raw data collected during the assessment.

To evaluate the certification and accreditation, we reviewed all components of the C&A package and interviewed USPTO staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We evaluated the security plan and assessment results for applicable security controls and will give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to the Office of Management and Budget.

In addition, we performed our own assessment of a targeted selection of controls (see appendix B-1). We conducted our assessment using a subset of procedures from NIST SP 800-53A, which we tailored to EUS' specific control implementations. We did not attempt to perform a complete assessment of each control; instead we chose to focus on specific technical and operational elements.

We assessed controls on key classes of IT components, choosing a targeted set of components from each class that would allow for direct comparison with USPTO's certification test results. We assessed controls on [redacted] and [redacted]. We also performed compliance scanning using Nessus.

Our assessment included the following activities:

•   extraction, examination, and verification of system configurations
•   execution of scripts and manual checklists
•   examination of system logs
•   review of account management procedures
•   vulnerability scanning of network-addressable components
•   examination/analysis of security plan descriptions, including related policy and procedure documents
•   interviews with appropriate USPTO personnel

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification for a [redacted] system would require. It gave us direct assurance of the status of select aspects of important system controls and provided meaningful comparison with USPTO's security certification.

We used the following review criteria:

•   FISMA
•   U.S. Department of Commerce IT Security Program Policy and Minimum Implementation Standards, June 30, 2005
•   National Institute of Standards and Technology (NIST) Federal Information Processing Standards
    o   Publication 199, Standards for Security Categorization of Federal Information and Information Systems
    o   Publication 200, Minimum Security Requirements for Federal Information and Information Systems
•   NIST Special Publications:
    o   800-18, Guide for Developing Security Plans for Information Technology Systems
    o   800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
    o   800-53, Recommended Security Controls for Federal Information Systems
    o   800-53A, Guide for Assessing the Security Controls in Federal Information Systems
    o   800-70, Security Configuration Checklists Program for IT Products
    o   800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (revised January 2005), issued by the President's Council on Integrity and Efficiency.


Appendix B-1: NIST SP 800-53 Security Controls Assessed by OIG

•   AC-2   Account Management, Enhancements 1 to 4
•   AC-3   Access Enforcement
•   AC-6   Least Privilege
•   AC-7   Unsuccessful Login Attempts
•   AC-8   System Use Notification
•   AU-6   Audit Monitoring, Analysis, and Reporting
•   AU-8   Time Stamps
•   IA-2   User Identification and Authentication
•   IA-5   Authenticator Management


Appendix C: Components Assessed by OIG

Name | IP Address | Zone | Operating System
[table contents redacted]
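The assessment activities in appendix B (extraction and verification of system configurations, execution of scripts and checklists) and the controls in appendix B-1 can be illustrated with a small configuration checker. The Python code below is an added example; it is not part of the OIG report and is not USPTO's certification test script. The configuration excerpts are constructed for illustration, the policy thresholds and the approved time server name are assumptions, and nothing in it describes the actual EUS components, which the report redacts. It checks AC-7 (lockout threshold), AC-8 (system use banner), AU-8 (every configured time source is an approved server, which is the configuration responsibility behind the report's hybrid-control point) and IA-5 (password length and lifetime against an explicit policy, the requirement finding 1 says was left unassessed because the plan did not reference the policy).

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    control: str   # NIST SP 800-53 control identifier, e.g. "AU-8"
    passed: bool   # True if the configuration meets the assumed policy
    evidence: str  # the configuration line(s) the verdict rests on


def _directive(text, name):
    """Return the value of the first uncommented `name value` line, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def check_ac7(pam_text, max_attempts):
    """AC-7 Unsuccessful Login Attempts: a lockout module must be active with a
    deny= threshold at or below the policy value."""
    for line in pam_text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = re.search(r"pam_(?:tally2|faillock)\.so.*\bdeny=(\d+)", line)
        if m:
            return Finding("AC-7", int(m.group(1)) <= max_attempts, line.strip())
    return Finding("AC-7", False, "no lockout module configured")


def check_ac8(sshd_text):
    """AC-8 System Use Notification: sshd must present a banner before login."""
    banner = _directive(sshd_text, "Banner")
    ok = banner is not None and banner.lower() != "none"
    return Finding("AC-8", ok, f"Banner {banner}")


def check_au8(ntp_text, approved_servers):
    """AU-8 Time Stamps (hybrid): every configured time source must be approved."""
    servers = []
    for line in ntp_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("server", "pool"):
            servers.append(parts[1])
    ok = bool(servers) and all(s in approved_servers for s in servers)
    return Finding("AU-8", ok, ", ".join(servers) or "no time source configured")


def check_ia5(login_defs_text, min_length, max_days):
    """IA-5 Authenticator Management: length and lifetime are compared with policy
    values passed in explicitly, so the requirement cannot be silently skipped."""
    length = _directive(login_defs_text, "PASS_MIN_LEN")
    days = _directive(login_defs_text, "PASS_MAX_DAYS")
    ok = (length is not None and days is not None
          and int(length) >= min_length and int(days) <= max_days)
    return Finding("IA-5", ok, f"PASS_MIN_LEN={length} PASS_MAX_DAYS={days}")


def assess(host, policy):
    """Run every check for one host and return the findings in control order."""
    return [
        check_ac7(host["pam"], policy["max_failed_logins"]),
        check_ac8(host["sshd_config"]),
        check_au8(host["ntp_conf"], policy["approved_time_servers"]),
        check_ia5(host["login_defs"], policy["password_min_length"],
                  policy["password_max_days"]),
    ]


# Assumed policy thresholds (illustrative; not USPTO's actual policy values).
POLICY = {
    "max_failed_logins": 5,
    "approved_time_servers": {"ntp.corp.example"},
    "password_min_length": 8,
    "password_max_days": 90,
}

# Constructed configuration excerpts for one hypothetical UNIX host.
SAMPLE_HOST = {
    "pam": "auth required pam_tally2.so deny=5 unlock_time=900 onerr=fail\n",
    "sshd_config": "# constructed sshd_config excerpt\nBanner /etc/issue.net\n",
    "ntp_conf": "server ntp.corp.example iburst\nserver time.public.example\n",
    "login_defs": "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 6\n",
}

if __name__ == "__main__":
    for f in assess(SAMPLE_HOST, POLICY):
        print(f"{f.control}: {'PASS' if f.passed else 'FAIL'} ({f.evidence})")
```

On the constructed host, AC-7 and AC-8 pass, AU-8 fails because a second, unapproved time source is configured, and IA-5 fails because the minimum password length is below the assumed policy. Each finding carries the configuration line it rests on, which is the kind of evidence the report expects certification test results to record.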